Eggstravaganza

First Flight #37
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Invalid

Unsafe Use of delete in NFT Withdrawal Function (EggVault)

Summary

The withdrawEgg() function is responsible for safely transferring an NFT back to the original depositor and clearing its record from the vault. However, it uses the delete keyword to reset the depositor mapping, which has unintended side effects. Specifically, it resets the address to the zero address (0x000...000), which could lead to misleading data, unexpected behavior, or even subtle bugs in the game’s logic.

Vulnerability Details

The withdrawEgg function looks like this:

    /// @notice Allows the depositor to withdraw their egg from the vault.
    function withdrawEgg(uint256 tokenId) public {
        require(storedEggs[tokenId], "Egg not in vault");
        require(eggDepositors[tokenId] == msg.sender, "Not the original depositor");
        storedEggs[tokenId] = false;
    @>  delete eggDepositors[tokenId];
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }

Using delete in Solidity sets the mapping value back to the default — in this case, address(0). While it seems like the right way to clean up storage, it can give a false impression that the token was never deposited or that the zero address was the depositor.

Impact

  • Players might think the egg was never deposited or was deposited by 0x0.

  • Game admins or analytics can’t trace who originally deposited an egg.

Tools Used

Manual inspection

Recommendations

Instead of deleting the address entirely, store a special status or mark that it's withdrawn.
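
One way to implement this recommendation, as an added example that is not the contest's EggVault code: a per-token record whose status distinguishes a withdrawn egg from one that was never deposited. `IERC721Minimal`, `EggStatus`, `EggRecord`, `eggRecords`, `EggDeposited` and the pull-style `depositEgg` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the contest's EggVault. The interface, enum, struct,
// eggRecords mapping and depositEgg flow are assumptions.
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract EggVaultWithStatus {
    // Zero value is the mapping default, so it means "no record at all".
    enum EggStatus { NeverDeposited, InVault, Withdrawn }

    struct EggRecord {
        address depositor; // retained after withdrawal for traceability
        EggStatus status;  // packs into the same storage slot as depositor
    }

    IERC721Minimal public immutable eggNFT;
    mapping(uint256 => EggRecord) public eggRecords;

    event EggDeposited(address indexed depositor, uint256 tokenId);
    event EggWithdrawn(address indexed withdrawer, uint256 tokenId);

    constructor(IERC721Minimal nft) {
        eggNFT = nft;
    }

    /// @notice Pulls the egg from the caller (vault must be approved) and records it.
    function depositEgg(uint256 tokenId) external {
        require(eggRecords[tokenId].status != EggStatus.InVault, "Egg already in vault");
        eggRecords[tokenId] = EggRecord(msg.sender, EggStatus.InVault);
        eggNFT.transferFrom(msg.sender, address(this), tokenId);
        emit EggDeposited(msg.sender, tokenId);
    }

    /// @notice Returns the egg to its depositor and marks the record instead of deleting it.
    function withdrawEgg(uint256 tokenId) external {
        EggRecord storage rec = eggRecords[tokenId];
        require(rec.status == EggStatus.InVault, "Egg not in vault");
        require(rec.depositor == msg.sender, "Not the original depositor");
        rec.status = EggStatus.Withdrawn; // state change before the external call
        eggNFT.transferFrom(address(this), msg.sender, tokenId);
        emit EggWithdrawn(msg.sender, tokenId);
    }
}
```

Keeping the record forgoes the gas refund that clearing the slot with `delete` earns. The original function's `EggWithdrawn(msg.sender, tokenId)` event already logs the depositor, since the preceding `require` guarantees `msg.sender` is the recorded depositor.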

Updates

Lead Judging Commences

m3dython Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
